Acunetix WVS Build History

Build v6.5.20090519 - 20th May 2009 - NEW VERSION

 New Features:

  • File upload forms vulnerability checks
  • New Login Sequence Recorder; supports many more authentication forms and web technologies
  • Session Auto Recognition module; if the session is invalidated or logged out during crawling, the scanner will automatically replay the login sequence without the need of manual intervention
  • Actions drop down menu; for each selected node, the actions drop down menu is activated showing all possible functions
  • Many more checks and alerts for JSP, Java and the Tomcat web server

Major Improvements:

  • Improved cookie management and session handling to support modern dynamic websites
  • Port scanner and Network Alerts results will appear in a separate node in the results tree
  • Users can import Version 6 settings to Version 6.5
  • Added blind SQL injection timing test using MySQL's sleep and MS SQL's waitfor functions. This will help in discovering particular blind SQL injections that do not report a change on the page

Build v6.1.20090211 - 11th February 2009

 General improvements:

  • CSA engine now supports jQuery and Yahoo! UI JavaScript libraries
  • Added component in scanner to search for links in HTML comments and Flash (SWF) strings
  • Created an ASN.1 parser which can parse X509 Certificates
  • Improved Crawler; improved Wivet coverage to 94%
  • Added more JBoss configuration tests
  • Added more Tomcat tests
  • Added more web server configuration checks for server path, internal IP and username/password disclosure
  • Improved RSS/Atom parsers
  • Added more attack vectors to source code disclosure and directory traversal tests for both Windows and Unix

Bug Fixes:

  • Reporter now filters very long knowledge base items
  • Fixed SSL3, TLS1 parsing issues
  • Fix in Crawler to better handle query variables in start URLs

Build v6.0.20081209 - 9th December 2008

General improvements:

  • Optimized large portions of the code to improve speed
  • Optimized Progress text for scripts and port scan
  • Show progress on ScanInfo frame

Bug Fixes:

  • Module tm_backup_files - can make tests like {filename}{test}{extension} (e.g. file1.php from file.php)
  • Crawler was not sending the custom cookies for the first request
  • Reporter crash on settings read (only try/except)
  • Fixed crash in "import scan results to database" when the scan was running
  • SSL certificate validity year fix
  • Fixed a bug in parameter manipulation. Crashing when Combination was nil (no values)
  • Error in interpreting redirections of type "?getvar=value"
  • Fixed jsessionid session fixation test
  • Fixed Activation in v6 for Vista.
  • Fixed a problem with Authentication Tester (the app was not recovering when an invalid protocol was specified as target) - Reported by Harutyun Sardaryan
  • Fixed a crash in HTTP Fuzzer - Reported by Harutyun Sardaryan
  • Fix in Blind SQL Injector: On UNION SELECT based string extraction when httpencoding is applied the last char was eaten

Build v6.0.20081028 - 28th October 2008 - NEW VERSION

New tools / Applications:

General improvements:

  • Pause and Resume scan functionality
  • Option to mark an alert as false positive
  • Support for NTLM v2
  • Scanner can now gather a list of uncommon HTTP responses
  • Scanner can automatically stop if a number of network errors occur or the web server does not respond.

User Interface improvements:

  • Compare results tool now also compares Knowledge Base items and the list of open web server ports
  • Possibility to quickly locate a vulnerability by using a filter, whereas before only search was allowed
  • In Scanning profiles and Vulnerability Editor, vulnerabilities are automatically sorted by name
  • In HTTP Fuzzer results can be sorted by clicking on header columns and changes in Fuzzer filters are automatically reflected in results window

Scheduler improvements:

  • All scanning options are now available in scheduler
  • Option to configure the day of the week or month for a scheduled scan
  • Option to configure scan exclusion hours, i.e. when an ongoing scan should be paused and resumed

Build v5.1.70829 - 4th September 2007

  • Huge improvement in memory handling! - Memory handling is now done in a much more efficient way and temporary data is now stored by default onto the hard drive freeing up a LOT of system memory especially when dealing with large websites.
  • Introduced pre-conditions to various vulnerability tests - this will check if vulnerabilities can actually exist in a certain environment before starting to test for them - thus avoiding checking for vulnerabilities in vain and at the same time speeding up the scanning time.
  • Summary view for alert nodes - avoids long delays in displaying all alerts under a node
  • Added "Current Test" information to the scan information view
  • Improvements in HTTP Fuzzer
  • Fixed JavaScript issue with parsing certain websites
  • Fixed validation when saving login sequence file
  • Fixed crash with error "sitefile parts already loaded"
  • Fixed Web Services Scan Wizard detection of Inputs for particular WSDL URLs
  • Fixed Web Services Scanner crash when clicking on some elements of the tree structure

Build v5.0.70621 - 25th June 2007

  • Tweak in Heuristic scanning mode for improved memory management
  • Saving crawling data to disk is now enabled by default
  • Added Day and Month to timestamps in Activity Window
  • Small text changes in crawler settings
  • Elevation of privileges OS vulnerability fix

Build v5.0.70604 - 11th June 2007 - NEW VERSION

New Tools / Applications:

  • Subdomain Scanner
  • Web Services Scanner
  • Web Services Editor
  • Reporter Application

General Improvements:

  • Microsoft Windows Vista Support
  • Visual Interface Improvements with new graphics and buttons
  • Source View in various parts of the product
  • Password protection for all Acunetix Tools and applications
  • Upgrading from Previous Versions/Builds keeps all Settings and Configurations

Reporting Improvements:

  • New Reporter Application
  • Detailed Scans View from the Database
  • Standard Report Templates: Developer, Executive, Vulnerability
  • Scan Comparison Templates
  • Statistical Templates: Yearly, Monthly, etc.
  • Compliance Reports Templates: PCI, Sarbanes-Oxley, HIPAA, etc.

Crawler Improvements:

  • Manual Choice of Files from the Site Structure
  • Directory Recursion (loop) Detection
  • URL Rewrite Detection and Warning to User
  • Improved Filtering (replacing the old search functionality)

Scanner Improvements:

  • New Scanning Mode Option: Quick, Heuristic and Full
  • Multi-Step Scanning
  • Stored XSS Tests
  • Header Manipulation
  • Improved Blind SQL Injection Tests
  • Improved Mod_Rewrite Support
  • Improved Filtering (replacing the old search functionality)
  • Grouping of Test Variants
  • Sitemaps Support
  • Added New Vulnerability Tests

Scheduler Improvements:

  • Support for Web Services Scheduled Scans
  • New options for Source and Output of Scans
  • Mail Notifications

Command Line Improvements:

  • New options added to support more functions like the full application
  • Web Services Scans
  • Mail Notifications

Database Improvements:

  • Significantly Reduced DB Size by 90% while keeping the same details and more!
  • New Database Structure (conversion tool available to upgrade from v4 structure)

New Features
  • Added a test for PHP-CGI remote code execution (http://www.exploit-db.com/exploits/29290/)
  • Added a test which checks for SSL certificates with a Public Key length less than 2048 bit (http://www.geotrust.com/resources/2048-bit-compliance/)
  • Added a test that checks for Microsoft IIS server service.cnf file

Improvements
  • Improved XSS testing script.
  • From an alert, clicking on the affected file takes the user to the file in the site structure. This is useful when additional information on the affected file is required (such as the referrers in the case of Broken links, or the source of the web page)
  • DOM XSS alerts will include more information (such as the HTML written for document.write)
  • Improved Code Execution script to find more specific issues and reduce the number of requests performed

Bug Fixes
  • Fixed an issue causing a deadlock.
  • Fixed false positives shown in broken links
  • Fixed some false positives with Script_Source_Code_Disclosure.script
  • Fixed DOM XSS false positives
  • Fixed an issue with Analyze_Parameter_Values script causing the script not to parse relative paths correctly
  • Fixed false positives with Slow HTTP Denial Of Service script